Procedure checklist · Reg 17

Risk management and risk register procedure checklist

All CQC-registered providers

Download the PDF

A printable version of this checklist, formatted to work through on paper or take into a team meeting. The disclaimer below applies to the PDF too.

Source anchors

How to use this checklist

Use this checklist to audit whether the service can show a live risk register with clear risks, controls, owners, reviews, escalation decisions and closure evidence. It can be used monthly, before provider review, after a serious incident, or before an inspection-readiness review.

Risk management should be proportionate. The aim is not a long register. The aim is a register that shows the service knows its significant risks and is taking action that can be evidenced.

For each row, record:

Every Part met or Not met item should create an action with an owner and due date.

The PDF is designed for printing, or for completing on screen with a PDF viewer's Fill & Sign, Markup or comment tools. Use those tools to tick boxes and type into the lines.

Service details

Field Local entry
Service name
Location
Date completed
Completed by
Registered Manager
Provider lead
Period reviewed
Number of risks sampled

1. Register structure and ownership

Check Evidence to review Status Action owner Due date
Risk register exists and is current. Risk register, last review date.
Each risk has a clear title and description. Risk sample.
Each risk names affected people, area or service. Risk sample, service map.
Each risk has an owner. Risk register, role list.
Risk rating model is defined and understood. Procedure, governance record, staff interview.
Register includes review dates and current status. Risk register, review report.

2. Identification and assessment

Check Evidence to review Status Action owner Due date
Risks are identified from incidents, complaints, safeguarding, audits and staff feedback. Cross-linked records, governance report.
Assessment records what could happen and who could be affected. Risk sample.
Existing controls are recorded. Risk sample, evidence of controls.
Likelihood and impact are recorded with rationale for high or extreme risks. Risk rating sample.
Assessment considers rights, choices and dignity where relevant. Person-centred risk sample.
Risk is reviewed after material change or new information. Review history, incident link, update note.

3. Controls and actions

Check Evidence to review Status Action owner Due date
Controls are specific enough to be checked. Risk sample, control description.
Actions have owner, due date and completion evidence requirement. Action log, improvement record.
Overdue actions are visible and escalated. Action tracker, governance minutes.
Controls dependent on staff behaviour are checked in practice. Observation, audit, supervision record.
High or repeated risks lead to stronger controls or escalation. Risk history, escalation note.
Action completion changes the risk rating only when evidence supports it. Risk update, completion evidence.

4. Review and escalation

Check Evidence to review Status Action owner Due date
Review frequency is proportionate to rating. Procedure, risk register.
High and extreme risks are reviewed at governance. Governance minutes, risk report.
Provider-level review is visible for persistent or resource-dependent risks. Provider minutes, Nominated Individual note.
Escalation decisions record route, reason and outcome. Escalation note, external correspondence.
Immediate-risk situations are escalated without waiting for routine meetings. Incident/risk timeline, call note.
Accepted risks have senior approval and review plan. Accepted-risk record, approval note.

5. Links with other governance records

Check Evidence to review Status Action owner Due date
Serious or repeated incidents update the risk register. Linked incident, risk update.
Complaint themes update the risk register where needed. Complaint theme report, risk update.
Safeguarding concerns update the risk register where needed. Safeguarding review, risk update.
Audit failures update the risk register where needed. Audit report, risk update.
Business continuity, staffing and training risks are represented where relevant. BCP record, rota review, training matrix.
Person-level risks that show a wider service issue are escalated to service-level risk. Care record theme, risk register.

6. Closure quality

Check Evidence to review Status Action owner Due date
Closed risks have closure reason and evidence. Closed risk sample.
Closure is approved by the right person. Closure approval, role list.
Risk is not closed only because one action completed. Closure rationale, residual risk review.
Ongoing monitoring is recorded where risk remains accepted. Review plan, governance minute.
Reopened risks show why previous controls were not enough. Reopened risk record, trend review.

7. Summary judgement

Question Answer
What are the service's top three current risks?
Which high or extreme risk has the weakest control evidence?
Which risk has overdue action or overdue review?
Which repeated incident or complaint theme is missing from the risk register?
What would a CQC inspector see if they asked for the live risk register today?

8. Action log

Action Source check Owner Due date Completion evidence

9. Completion

Sign-off Name Date
Completed by
Reviewed by Registered Manager

This checklist is a working tool. It does not replace live regulator guidance, health and safety advice, safeguarding advice, the service's own risk policy, legal advice or professional judgement.

Related reading

This checklist is a starting point and a guide to what inspectors look for. It is not a complete or deployable procedure, and it is not legal advice. Working through it does not guarantee a rating or compliance. Check all regulatory references and timescales against current primary sources and adapt it to your own service.

Want help adapting this to your service?

A Verivius consultant (an ex-CQC inspector) can work through this with you against the live regulation and your service shape. The work fits inside a Mock Inspection engagement or a shorter consulting brief. A 20-minute conversation is the fastest way to find out whether the fit is right.

Get started free

Free to start, no card. A 14-day trial when you subscribe.